From Silence to Strike: Tracking Iran's Cyber Escalation in Real Time

Denis Calderone March 13, 2026 7 min read
    On March 12, medical technology giant Stryker confirmed a cyberattack that wiped devices across 79 countries. The pro-Iran group Handala claimed responsibility, saying they destroyed more than 200,000 systems and stole 50 terabytes of data. Stryker manufactures surgical tools and implants used by hospitals worldwide, holds DOD contracts, and acquired Israeli medical tech firm OrthoSpace in 2019.

    In the weeks leading up to the war, what concerned us wasn't the groups making noise. It was the ones that had gone quiet.

    What The Silence Told Us

    The signs were there before the kinetic strikes even started. Symantec research later confirmed that MuddyWater, a group CISA has called a subordinate element within Iran's Ministry of Intelligence and Security, had been active on US networks since early February. They were on the networks of a US bank, a US airport, and a defense-aerospace software supplier, with the software company's Israeli operations appearing to be the specific target. The group had deployed a brand-new backdoor called Dindoor that nobody had seen before, signed with stolen certificates and using legitimate cloud storage for exfiltration. Everything built to look like normal business traffic. This was weeks before the February 28 strikes.

    On March 2, when the conversation was mostly about DDoS and ransomware as the expected retaliation playbook, we couldn't help but notice that Iran's most capable espionage groups had gone quiet during the biggest crisis in their country's modern history. We judged that the silence probably meant pre-positioning, not inactivity, and urged organizations in energy, financial services, defense, and healthcare to start hunting for anomalous access. Four days later, Symantec confirmed what MuddyWater had been up to.

    Then came Stryker. A Fortune 500 US company with Israeli business ties, hit not with espionage tools but with a destructive wiper. The shift from intelligence gathering to destruction was underway.

    Two Groups, One Target Profile

    Both MuddyWater and Handala are tied to Iran's Ministry of Intelligence and Security, but they do very different things. 

    MuddyWater, also known as Seedworm, has been around since 2017. They build custom tooling, run spear-phishing campaigns, and focus on getting persistent access for intelligence collection. In this campaign, they deployed at least three distinct backdoors and used Rclone to push stolen data to Wasabi and Backblaze cloud storage. Stolen certificates to sign malware, legitimate cloud services for command and control. Everything looks normal until you trace the full sequence. 

    Handala is the other side of the coin. On the surface they look like a hacktivist group aligned with pro-Palestine sentiment, but the cybersecurity community widely assesses them as a front for Void Manticore, another MOIS-linked actor. Destruction is their thing. Custom wiper malware for Windows and Linux. Before Stryker, they went after Israeli military weather servers, healthcare networks, oil and gas companies, and sent fake missile alerts to Israeli schools. 

    Here's the part that should concern defenders: the espionage groups go in first and map the environment, then the destructive groups follow. MuddyWater was already inside US networks before the kinetic strikes landed on February 28. Handala came in swinging after.

    The Inherited Trust Problem

    How Handala hit Stryker matters as much as the fact that they hit them. Based on employee reports and now confirmed by multiple researchers including Brian Krebs, Handala got into Stryker's Microsoft Intune environment and used the platform's own capabilities to remotely wipe every enrolled device. Laptops, servers, corporate phones, even employees' personal devices that were connected to corporate systems. No malware needed. They used the native features of an enterprise management tool to cause destruction at scale. Stryker's SEC filing confirmed "no indication of ransomware or malware." The management platform did the damage.

    As we write this, the situation keeps getting worse. Stryker has confirmed that order processing, manufacturing, and shipping have all been disrupted, with no timeline for full restoration. Thousands of employees across Ireland, the US, Australia, and India are locked out. For a company that makes surgical tools and implants used in operating rooms around the world, this goes well beyond IT. Hospitals that depend on Stryker's products are feeling it right now.

    We've been watching this same dynamic play out across multiple incidents in 2026. VMware Aria Operations, Cisco Secure Firewall Management Center, Cisco SD-WAN controllers, and now MDM. We've started calling it the inherited trust problem. Management and orchestration tools carry the deepest access in your environment because that's how they're designed to work. MDM platforms can factory reset every device in your fleet. Firewall management consoles can rewrite your security policies. When attackers take over the management plane, the tool does the damage for them.

    What Comes Next

    This campaign is not over. Threat intelligence analysts are projecting Iranian cyber operations to continue through mid-April, with more destructive attacks expected as Iran's operational capabilities recover from the initial internet disruption. More than 60 hacktivist groups spun up within hours of the February 28 strikes. During the June 2025 Twelve-Day War, cyberattacks surged 700% within 48 hours. We've seen how fast this can escalate.

    We're watching three things closely right now. 

    OT and industrial control systems. CyberAv3ngers, an IRGC-affiliated group that hit US water utilities in 2023, has since deployed a custom OT malware called IOCONTROL that can target PLCs, HMIs, and IoT devices from Siemens, Allen-Bradley, Schneider Electric, and others. An IRGC-linked offensive OT framework called Black Industry has shown up on dark web markets with capabilities including multi-protocol scanning, PLC persistence, and air-gap penetration tools. There are roughly 40,000 internet-exposed ICS devices in the United States, many at water utilities and energy facilities running on tight budgets. Wiper attacks on IT environments may be the opening salvo. OT is where it gets really dangerous.

    Supply chain and managed service provider compromise. MuddyWater's targeting of a defense-aerospace software supplier wasn't just about that company. It was about what that company connects to. Iranian groups have a documented track record of using third-party vendors and MSPs as doorways into larger organizations. You don't need Israeli business ties to be in scope. You just need to serve someone who does.

    Iran's internet workaround. Domestic connectivity dropped to 1-4% of normal capacity after the strikes, but that hasn't stopped anything. Handala was reportedly using Starlink satellite connectivity before the current conflict even began. Pre-positioned implants and operators based outside Iran keep working regardless of what happens to domestic infrastructure. The idea that Iran going dark limits their offensive capability has already been put to rest.

    What Defenders Should Do Now

    If your organization has Israeli business ties, DOD contracts, or sits anywhere in the defense, healthcare, energy, or financial services supply chain, treat this as a heightened threat period.

    Go through your management tools: MDM, firewall management consoles, infrastructure monitoring, workflow automation. Can a single compromised admin account wipe your fleet or rewrite your security policies? If the answer is yes, or you're not sure, that's the first thing to fix. These tools have the deepest access in your environment, and Stryker just showed us what happens when they're turned against you.

    Hunt for anomalous access going back to early February. MuddyWater was already inside before the shooting started. Look for unexpected cloud storage connections, especially to Wasabi and Backblaze. Check for certificates you didn't issue. Watch for unusual data volumes heading outbound.
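    As an added illustration (not code from the original post), here is a small hunt that runs over constructed egress-log lines, flags hosts talking to the Wasabi and Backblaze storage endpoints named above, restricts the search to the early-February window, and totals each host's outbound bytes so unusual volumes stand out. The log format, the endpoint suffixes, and the volume threshold are assumptions; adapt them to your own proxy or NetFlow data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Endpoint patterns for the two storage providers the post names as exfiltration
# destinations. The suffixes are assumptions; tune them to what your egress logs show.
SUSPECT_STORAGE = {
    "wasabi": re.compile(r"(^|\.)wasabisys\.com$"),
    "backblaze": re.compile(r"(^|\.)backblazeb2\.com$"),
}
HUNT_START = datetime(2026, 2, 1, tzinfo=timezone.utc)  # "going back to early February"

# Constructed sample egress-log lines: timestamp, source host, destination host, bytes out.
SAMPLE_LOG = """\
2026-01-20T04:11:09Z ws-finance-17 s3.us-east-1.wasabisys.com 838860800
2026-02-03T02:14:07Z ws-finance-17 s3.us-east-1.wasabisys.com 734003200
2026-02-03T09:10:55Z ws-eng-04 github.com 102400
2026-02-04T01:52:13Z ws-finance-17 s3.us-east-1.wasabisys.com 1288490188
2026-02-05T03:20:41Z srv-build-02 api.backblazeb2.com 5368709120
2026-02-06T14:00:00Z ws-mktg-03 s3.eu-central-1.wasabisys.com 4096
"""

def parse_line(line):
    ts, src, dst, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst.lower(), "bytes": int(nbytes)}

def classify_destination(dst):
    """Name of the flagged provider dst belongs to, or None."""
    return next((name for name, pat in SUSPECT_STORAGE.items() if pat.search(dst)), None)

def hunt(log_text, since=HUNT_START, volume_threshold=500 * 1024 ** 2):
    """Per source host: flagged providers contacted since `since`, hit count, bytes out,
    and whether the total crosses the (assumed) threshold for unusual outbound volume."""
    totals = defaultdict(lambda: {"providers": set(), "hits": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["ts"] < since:
            continue  # outside the hunt window
        provider = classify_destination(rec["dst"])
        if provider is None:
            continue  # not a flagged storage service
        entry = totals[rec["src"]]
        entry["providers"].add(provider)
        entry["hits"] += 1
        entry["bytes_out"] += rec["bytes"]
    return {host: {"providers": sorted(e["providers"]), "hits": e["hits"],
                   "bytes_out": e["bytes_out"],
                   "high_volume": e["bytes_out"] >= volume_threshold}
            for host, e in totals.items()}
```

    On the sample data, `hunt(SAMPLE_LOG)` reports ws-finance-17 and srv-build-02 as high-volume talkers to Wasabi and Backblaze respectively, while the January line is ignored and the 4 KB Wasabi connection from ws-mktg-03 is flagged but not high-volume.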

    If you run OT or ICS environments, don't assume the air gap will save you. Review segmentation between IT and OT. Check whether your PLCs are still on default credentials. Make sure your HMIs aren't reachable from the internet.

    Make sure your backups are isolated and tested. Wiper attacks don't come with a decryption key. Your ability to get back up and running depends entirely on whether your backup infrastructure is separated from everything that just got wiped.

    The pre-positioning phase is over. We're in the execution phase now, and based on what we're seeing, it's going to get worse before it gets better. Start hunting now. Don't wait for something to break.

    As CTO of Suzu Labs, Denis Calderone draws on over 30 years of IT experience and 25 years in information security. He founded and led a security consultancy for over 17 years before its global acquisition, and now channels that experience into Suzu Labs, where he sets technical direction while overseeing cyber delivery, including penetration testing and a full host of advisory services. His approach is vendor-agnostic and operationally grounded, cutting through noise to deliver practical, sustainable risk management. He pairs deep industry expertise with early AI adoption to ensure security is built-in, not bolted on.